Skip to main content

Nx CVE-2026-54753

| EUVDEUVD-2026-39831 MEDIUM
Exposed Dangerous Method or Function (CWE-749)
2026-06-26 GitHub_M
5.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
5.9 MEDIUM

AV:N because attacker JS triggers cross-origin requests over the network; AC:H because nx graph must be actively running; UI:R because the developer must visit the malicious page; C:H for full project graph disclosure; I:L for limited /help injection path.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 19:25 vuln.today
Analysis Generated
Jun 26, 2026 - 19:25 vuln.today

DescriptionCVE.org

Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin - including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.

AnalysisAI

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while nx graph is running locally. The server unconditionally broadcasts Access-Control-Allow-Origin: *, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Developer runs nx graph on workstation
Delivery
Attacker lures developer to malicious website
Exploit
Attacker JS fetches localhost Nx graph server endpoints
Execution
Browser delivers response body (CORS wildcard bypasses SOP)
Persist
Attacker reads full project graph and workspace metadata
Impact
Optionally triggers /help endpoint to execute workspace-defined command on developer machine

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to be true simultaneously: (1) the developer has actively invoked `nx graph` on their workstation, starting the local HTTP server - this is a development-time command absent from production, CI pipelines, and deployed infrastructure; (2) the developer visits an attacker-controlled or compromised website in the same browser session while `nx graph` is running; and (3) the attacker knows or can enumerate the local port the Nx graph server binds to. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N accurately reflects the constrained nature of exploitation: network-reachable via browser, but high complexity (requires the developer to have `nx graph` running simultaneously with a browser visit to an attacker-controlled page) and mandatory user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious webpage containing JavaScript that polls common localhost ports for the Nx graph server. A developer with `nx graph` running visits the page, and the attacker's script issues cross-origin `fetch()` calls to `http://localhost:<port>/` - the wildcard CORS header causes the browser to hand over the full response body, leaking the project graph including internal package names, dependency relationships, and target configurations. …
Remediation Vendor-released patch: 22.7.2 (stable) and 23.0.0-beta.2 (beta). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy